LDAP SSO to database in XI3.1

Hi All,
We are using XI3.1 and trying to find a solution for configuring LDAP single sign on to database and have not been able to find any material on that matter.
Is it possible to configure LDAP SSO to database (Oracle 11) natively? Or is there a third party tool like siteminder that can make that configuration work? Please let me know.
Thanks,
V

It should work natively.
In the CMC > Authentication > LDAP there is an option for propagate credentials at logon time. This option will cause LDAP users to have their username/pw cached in their user account (in fields called DBuser/DBpass). Then you must configure your reports to use these fields. If using reports based off universes you need to set the universe connection to use DB credentials; if Crystal then it's a bit more complicated and you may need to log a case to get the instructions.
If using SSO on the front end with siteminder or trusted auth then the LDAP propagate option will not work (it requires users to key in their user/pw).
Regards,
Tim

Similar Messages

  • Portal LDAP SSO

    Our customer requires that their organization LDAP directory be used to forward login tickets to the Portal and that the Portal authenticate users based off of this login ticket.  Is this possible? I know Portal LDAP integration is possible (via the LDAP integration option in the Portal UME) but is it possible to authenticate directory users into the Portal without the Portal UME and LDAP integration?  The customer is opposed to having the Portal integrate into their LDAP and query users and groups which it will need to do for Portal/LDAP integration.  So here would be the authentication scenario: users log into their corporate intranet, they click on the SAP Portal link in the intranet, the Portal authenticates the user based off of their login ticket. 
    Is this possible?  Can someone please provide me with useful documentation and links to achieve this setup?

    ftoobe wrote:
    Is there not a way for the Portal to accept login tickets from the LDAP if its a trusted LDAP, and determine which roles to assign the users based off of the user's LDAP properties, and authenticate the users without the users actually existing in a different persistence store such as ABAP or Java UME?
    How shall this be done from a technical point of view? How shall a portal authenticate users that it does not know about and additionally assign roles to them? For me this sounds more like a dream than a technical idea.
    There are several user stores possible for the portal: ABAP system, LDAP, Portal database. Additionally you may configure spnego which means windows integrated authentication. So as soon as he is logged into windows he is also authenticated against the portal. He does not need to type in username and password again. Nevertheless also for spnego some user store in the portal is needed - mostly customers use the same LDAP like they use for their windows users.
    By the way: as soon as you know what you like to configure take a look at http://help.sap.com - user stores and sso possibilities are quite well documented.
    Anja

  • SSO to database

    We have Business Objects 3.1 SP2 FP2.3 running on Windows 2003 R2 SP2 64bits.
    CMS database on SQL 2005 x64
    Environment runs on Apache Tomcat
    Single Sign-On with kerberos on Active Directory is working fine.
    We have developers who want to use their Crystal Reports with SSO also and not use SQL authentication like they used to do in previous BO versions.
    In Windows AD Authentication of the CMC, I checked the option Cache security context (required for SSO database)
    In the Database Configuration of the Crystal Report we're testing, in the section "When viewing report", we selected Use SSO context for database logon
    Is there any other necessary configuration to be done in any config file?
    Not sure whether this should be added but in the krb5.ini file, I added the following value under libdefaults (just before the realms section): forwardable = true
    When I try to view the report, I get the following error message in InfoView:
    Error in File "testreport": Unable to connect: incorrect log on parameters: Details: [Database Vendor Code: 18456]
    For the same kind of report but with the option: "Use same database logon as when report is run", with SQL authentication parameters, everything is OK.
    DEV Environment: one InfoView FrontEnd server and one BO CMS server
    PROD Environment: one InfoView FrontEnd server and 2 BO clustered servers
    Regards
    Jay

    I think this thread should get you going: SSO2DB / Use Database Credentials; about halfway down I wrote a response with links to set up the DB for Kerberos.
    Regards,
    Tim

  • Apex Configuration with SSO on Database 11g

    Hi All,
    I am trying to configure Application Express with SSO on 11g and I have followed all the steps mentioned in http://www.oracle.com/technology/products/database/application_express/howtos/sso_partner_app.html
    My partner app configuration is
    Site ID: 0F32F8E1
    Site Token: JC54XU4Q0F32F8E1
    Encryption Key: 61443A93398DC472
    Single Sign-On URL: https://login-stage.oracle.com/pls/orasso/orasso.wwsso_app_admin.ls_login
    Single Sign-Off URL: https://login-stage.oracle.com/pls/orasso/orasso.wwsso_app_admin.ls_logout
    Application Name: Insight Knowledge Manager on New Server
    Application Home URL: http://orclinsight.oraclecorp.com
    Application Success URL: http://orclinsight.oraclecorp.com/pls/apex/wwv_flow_custom_auth_sso.process_success
    Application Logout URL: http://orclinsight.oraclecorp.com
    After running the @custom_auth_sso.sql and @custom_auth_sso.plb and doing grant execute on wwv_flow_custom_auth_sso to public; I have also created an authentication scheme in APEX based on the pre-configured scheme on Apex as partner app
    this is the URL of the app.... http://orclinsight.oraclecorp.com/pls/apex/f?p=100:1
    if I type this URL, I get redirected to the SSO authentication page...however once I have filled the credentials.. it shows me the following error message
    *"The requested URL /pls/apex/wwv_flow_custom_auth_sso.process_success was not found on this server."*
    The result of this query select lsnr_token||':'||site_token||':'||site_id||':'||urlcookie_version||':'||encryption_key||':'||url_cookie_ip_check||':'||ls_login_url from wwsec_enabler_config_info$
    is
    'HTML_DB:orclinsight.oraclecorp.com:80:JC54XU4Q0F32F8E1:0F32F8E1:v1.2:61443A93398DC472:Y:https://login-stage.oracle.com/pls/orasso/orasso.wwsso_app_admin.ls_login'
    and the result of begin owa_util.print_cgi_env; end; query in APEX - SQL Workshop is
    PLSQL_GATEWAY = WebDb
    GATEWAY_IVERSION = 2
    SERVER_SOFTWARE = Oracle-Application-Server-10g/10.1.3.5.0 Oracle-HTTP-Server
    GATEWAY_INTERFACE = CGI/1.1
    SERVER_PORT = 80
    SERVER_NAME = orclinsight.oraclecorp.com
    REQUEST_METHOD = POST
    PATH_INFO = /wwv_flow.show
    SCRIPT_NAME = /pls/apex
    REMOTE_ADDR = 141.144.152.146
    SERVER_PROTOCOL = HTTP/1.1
    REQUEST_PROTOCOL = HTTP
    REMOTE_USER = APEX_PUBLIC_USER
    HTTP_CONTENT_LENGTH = 291
    HTTP_CONTENT_TYPE = application/x-www-form-urlencoded; charset=UTF-8
    HTTP_USER_AGENT = Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 (.NET CLR 3.5.30729)
    HTTP_HOST = orclinsight.oraclecorp.com
    HTTP_ACCEPT = text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    HTTP_ACCEPT_ENCODING = gzip,deflate
    HTTP_ACCEPT_LANGUAGE = en-us,en;q=0.5
    HTTP_ACCEPT_CHARSET = ISO-8859-1,utf-8;q=0.7,*;q=0.7
    HTTP_REFERER = http://orclinsight.oraclecorp.com/pls/apex/f?p=4500:1003:1510257042232818::NO:::
    HTTP_ORACLE_ECID = 1258784987:64.181.227.33:7900:4328:22,0
    WEB_AUTHENT_PREFIX =
    DAD_NAME = apex
    DOC_ACCESS_PATH = docs
    DOCUMENT_TABLE = wwv_flow_file_objects$
    PATH_ALIAS =
    REQUEST_CHARSET = AL32UTF8
    REQUEST_IANA_CHARSET = UTF-8
    SCRIPT_PREFIX = /pls
    HTTP_COOKIE = [email protected]:insight_workspace; ORA_WWV_USER=BE50DD5881201806; IdcLocale=English-US; IntradocAuth=Internet; oracle.uix=0^^GMT+5:30^p; IntradocLoginState=1; IdcTimeZone=America/Chicago
    Please advise what should I do next or where I may be going wrong?
    Warm Regards,
    Anand

  • End to End SSO to Database

    Hi All,
    We are using Business Objects XI R2 SP2 and were using Vintela End to End SSO with SQL Server 2005 Database.
    Yesterday we created a new service account for SQL Server and ran the SetSpn with this account.
    We are able to SSO to Infoview but when we are running crystal report on demand we are getting error "The database logon information for this report is either incomplete or incorrect"
    If we schedule the report and give database logon credentials it works fine.
    Are there any other changes that need to be done?
    Please assist.
    Thanks in advance for your help.
    V.

    Since you didn't change your bo config the problem is probably with Microsoft. Open a case with them if you have to. You can try opening a case with us as well to make sure there are no options on the BO side.
    Try putting this http://support.microsoft.com/?id=262177 on the BO server and SQL server
    Regards,
    Tim

  • LDAP/SSO with Crypt?

    Is it possible to have the SSO authenticating via LDAP with passwords encrypted with crypt? (UNIX) If so, how do I do that?

    Gaurav, a bit of clarification from my part :-D
    Okay, I just thought that the bind it performs is done by the proxy user who then retrieves the user password in encrypted form. My question is if it is possible to have encrypted user passwords in the DIT
    and how to tell the SSO/LDAP-thingy to pipe the result through crypt.

  • Auto Logon with LDAP SSO

    Hi All,
    I am having EHP1 for NW 7.3 installed on windows 2008 R2 and I am trying to do SSO with ADS.
    I am following the  steps as below :
    1. Created administrator user user1 and disabled "Use Kerberos DES encryption type for this Account" and checked "Password never expire option"
    2. setspn -a HTTP/javahost.mydomain.com user1
    3. Logged into javahost:port/nwa
    4. Generated Keytab file in Domain server:
    ktab -a [email protected] -k keytab
    5. Imported the keytab into the JAVA system :
    http://javahost:port/spnego
    Kerberos Realm--> edit --> Keys--> Update Keys -> uploading keytab file --> browse --> selected file and IMPORT --> Save.
    6. Activate the REALM.
    7. Adjusted the authentication stack:
    EvaluateTicketLoginModule     SUFFICIENT
    SPNegoLoginModule              OPTIONAL
    CreateTicketLoginModule       SUFFICIENT
    BasicPasswordLoginModule     REQUIRED
    CreateTicketLoginModule       REQUIRED
    -->Save.
    8. Did the settings in the browser. When tried to open the URL http://<server>:<port>/XMII/Menu.jsp
    I am getting a windows authentication message as in the attached screen shot (Windows_auth)
    After that I can see the Logon page
    I am able to Login through LDAP User credentials.
    But how to bypass Logon page to directly go to Menu page?
    Is there any other settings to be done at Server or net weaver level to Auto Authenticate?

    Hi All,
    I tried some workarounds which helped to skip Login page.
    But it still prompts Windows security and "Upload Protected Area" boxes to enter credentials as shown in pictures.
    Please Help out to resolve this Issue.
    Regards,
    Vinothkumar G.

  • ADSI/LDAP :Map DB2 database sessions back to the Siebel session.

    Hello All,
    With ADSI/LDAP authentication we will have one and only one database account for all Siebel users and as a result all database connections are logged under the same database user ID. Therefore it is not possible to map database sessions back to the Siebel session. Is there a way to achieve this with DB2 9.1 Backend?
    Thanks,
    Abe

    tzomatz wrote:
    srckurs.no have two email accounts. Both working fine, and I can send and receive mail between them, and the outside.
    However, for the tholden.no domain, receiving of emails does not work. I can send them though.
    What can be the problem?
    virtual_mailbox_domains = srckurs.no
    But tholden.no is not configured (except in hostname which is for local @aurora.tholden.no users).

  • JDBC and LDAP Connect to database

    I am testing a little bit with jdbc thin client and how it should be setup with a ldap naming service (tnsManager). What I heard is that I need a special lib so JDBC can use the LDAP naming service but i have no clue. I have been looking around the internet but haven't really found anything. What do I need on the DB side to make it work?

    Not very sure... maybe JNDI can be used for connecting using LDAP, because JNDI has support for LDAP URLs.
    http://download.oracle.com/javase/1.4.2/docs/guide/jndi/

  • LDAP/SSO Info?

    Where can I find info on how to configure/administer Login Server/SSO to use OID?

    Lisa,
    Please refer to the Oracle Portal FAQ at http://otn.oracle.com/products/iportal/htdocs/portal_faq.htm. You can also find a link to the FAQ at the top of the message list for this forum.
    Regards,
    Jerry

  • How to Identify database sessions used by forms sso user sessions?

    Hi:
    When using forms with SSO, all database sessions are opened by the same OSUSER (usually oracle), from the same machine (usually the forms server) and by the same program (usually [email protected] [TNS V1-V3]).
    I need a way to identify the database session (v$session) that is being used by a specific SSO user. By using SSO, we say implicitly that all users using that SSO resource will be connected to the database by a specific database user.
    So, what can I do to identify the database session that a specific forms user is using ?
    Thanks
    Joao Oliveira

    You could try something like the following in a when new form instance trigger:
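    declare
      -- SSO user name as reported by the Forms runtime
      authenticated_username varchar2(30);
    begin
      authenticated_username := get_application_property('sso_userid');
      -- Tag this database session so it shows up in v$session.client_info
      DBMS_APPLICATION_INFO.SET_CLIENT_INFO(authenticated_username);
    end;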
    This will store the sso userid in the client_info field of v$session.
    I hope this works for you.
    Randy McGregor
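
    The DBA side of the approach above, as an added example that is not part of the original reply: queries over v$session that read back the SSO user stored in client_info. The user name 'JSMITH' and the shared account name 'FORMS_APP' are constructed placeholders.

    ```sql
    -- Added example; 'JSMITH' and 'FORMS_APP' are constructed placeholders.

    -- 1) All user sessions tagged by the trigger, listed per SSO user.
    SELECT s.client_info  AS sso_user,
           s.sid,
           s.serial#,
           s.username     AS db_user,
           s.osuser,
           s.machine,
           s.program,
           s.status,
           s.logon_time
    FROM   v$session s
    WHERE  s.type = 'USER'
    AND    s.client_info IS NOT NULL
    ORDER  BY s.client_info, s.logon_time;

    -- 2) Sessions currently held by one SSO user.
    --    last_call_et = seconds since the session last changed status.
    SELECT s.sid, s.serial#, s.status, s.logon_time, s.last_call_et
    FROM   v$session s
    WHERE  s.type = 'USER'
    AND    UPPER(s.client_info) = 'JSMITH';

    -- 3) Coverage check: sessions on the shared account that never
    --    tagged themselves (forms without the trigger, other tools
    --    connecting with the same database user).
    SELECT s.sid, s.serial#, s.machine, s.program, s.logon_time
    FROM   v$session s
    WHERE  s.type = 'USER'
    AND    s.username = 'FORMS_APP'
    AND    s.client_info IS NULL;
    ```

    client_info is written by the client session itself, so it is a troubleshooting label and not proof of who is connected; query 3 shows how many sessions on the shared account carry no label at all.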

  • Using SSO to connect to database from J2EE

    I have an SSO enabled J2EE application and an SSO enabled database and I can connect to both of these applications using the single sign-on account.
    What I want to know is
    How do you get a J2EE application to connect to the database with the already connected SSO credentials?
    I am using Oracle 10g for both the app server and database
    Any help will be gratefully received.

    Hello,
    Also we have a simple how-to about database proxy authentication in the OC4J 10.1.3 How-tos page (see How-To Configure and Use Proxy-authentication with Data Sources ).
    Regards
    Tugdual Grall

  • Replication of data from LDAP to Oracle 10g Database

    Hi All,
    In our application we are using Oracle Identity Manager and Oracle 10g database.
    We are storing the user, profile and privileges in LDAP and due to some reason we have to create a user table in the 10g database.
    This user table's values and the LDAP user table values must be the same.
    Here the source is LDAP and the destination is Oracle.
    So is there any way we can synchronize or replicate the data from LDAP to the 10g database?
    Since Oracle Identity Manager is integrated with LDAP,
    I feel this must be possible,
    but really don't know how.
    Kindly suggest.
    And if any examples are available please let me know, I will be very grateful to you.
    Thanks in advance

    Check out thread How synchronize OID user to a table?
    The title of the thread is: How synchronize OID user to a table?

  • SSO with Custom LDAP

    This is the landscape :-
    Web Application / Portal at Oracle Web Center Suite (WCS).
    SAP BO 4.0
    Authentication using Custom LDAP & SSO with Trusted Authentication.
    Used OpenLDAP for authentication via RadiantOne VDS as the proxy.
    Activities :
    Authenticate the BO users with OpenLDAP via RadiantOne.
    Synchronize the BO user group from OpenLDAP via RadiantOne.
    Used openDocument.jsp to open WEBI reports.
    Problems :
    We configure the LDAP as Custom. Attributes mapping as default.
    When BOE is trying to connect to the RadiantOne VDS and create user "user01", which already exists in the OpenLDAP server, it throws the exception:
    "An internal error has occurred in the secLdap plugin."
    When trying to create a user that does not exist in LDAP, it throws the exception:
    "The secLdap plugin failed to get the dn for the user notuser."
    Please advise us how to resolve this internal error if we want to SSO with custom LDAP !!
    Thanks & regards,
    Herries E

    Hi,
    Herrie, Roland is correct, OpenLDAP is not supported and you can run into problems if you want to escalate issues in the future. The customer must take that into account.
    However, LDAP is pretty standard and usually you just need to make sure that the attribute mappings is correct.
    Are users correctly created when you map an LDAP group?
    Are you able to manually authenticate using LDAP? You can use the CMC page and select authentication LDAP
    When you have confirmed that LDAP manual authentication is working, you can set up Trusted Authentication. Check first that the system is working just using QUERY_STRING:
    https://service.sap.com/sap/support/notes/1593628
    When trusted auth is confirmed to work, you can configure the parameters that Radiant uses to pass the user: cookies, web session, etc.
    Regards,
    Julian

  • LDAP AD with SSO XI 31

    Hi everybody
    I'm trying to configure LDAP AD with Single Sign On but in BO documentation I can only find that this is possible with SiteMinder.
    Somebody plz can tell me how Configure LDAP SSO with SiteMinder? and if exists another way to do this without SiteMinder.
    Thanks.
    BO: XI 3.1
    SO: Windows Server 2003
    LDAP AD

    siteminder is a 3rd party app and configuration should be sought through their company's docs.
    If you have users that are authenticated with siteminder then we can auto log them into BO by either configuring the LDAP - siteminder plugin to the siteminder web agent. Requires 6x web agent running in 4x compatibility mode with a shared secret enabled.
    We can also pass the usernames using trusted authentication. requires the user parameter that siteminder uses to store the username (usually sm-user).
    If you plan to keep your CMS on windows then SSO is a piece of cake and no 3rd party programs would be required. With the CMS on "nix" you will need to authenticate prior to accessing the BO system for any type of SSO. Honestly SSO is not the right description in both cases above; it's trusted auth (passwords are never negotiated, just usernames passed).
    Regards,
    Tim
